In the post-Enron era, oil and gas companies are being forced to expand their definition of which documents and information require formal management and to put a greater focus on corporate accountability, compliance and ethical governance.

For oil and gas companies that create, acquire or maintain health-related information for employees and retirees, such as insurance claims or injury reports, compliance with Health Insurance Portability and Accountability Act (HIPAA) requirements is necessary. HIPAA governs the privacy and security of medical records and other health-related information. Employers must proactively safeguard health-related information of employees and retirees by implementing policies and procedures related to information access and disclosure. In addition, organizations must provide training to ensure that employees are aware of the appropriate disclosure requirements and restrictions for HIPAA. Records documenting an organization's compliance with HIPAA regulations regarding the handling and disclosure of personal health information must be retained for 6 years. Any of these records could be communicated via an instant message or attached to an e-mail message.

Hedging records

Energy companies ("commission merchants") that trade futures in wholesale electricity, gas, coal and fuel oil are subject to regulations of the Commodity Futures Trading Commission (CFTC). A regulated entity must keep systematic records of all transactions, including orders, trading cards, cancelled checks, copies of confirmations, copies of statements of purchase and sale, and all other "records, data, and memoranda, which have been prepared in the course of its business of dealing in commodity futures..." (17 CFR 1.35). The CFTC requires that these records be retained for 5 years, and the requirement covers e-mail and instant messages if they are used to document transactions.

Similar to Securities and Exchange Commission record-keeping requirements for broker-dealers, the CFTC requires that the records be preserved exclusively in a non-rewritable, non-erasable format and that duplicate copies be stored at a location separate from the originals. In addition, there must be a system in place that keeps an audit trail of all system actions to verify the integrity of archived records.

Litigation risk management

Under Rule 34 of the Federal Rules of Civil Procedure and its state equivalents, electronic records are potentially discoverable in litigation. Therefore, oil and gas companies need to develop formal records management policies and procedures that provide rational and defensible guidelines on the treatment of electronic records, including e-mail and instant messages.

Records management policy must include provisions for litigation holds to suspend the destruction of records related to ongoing or reasonably anticipated litigation, governmental investigations or audits. Failure to address litigation holds can result in criminal sanctions. In September 2004, Frank Quattrone, a former Credit Suisse First Boston investment banker, was convicted of obstruction of justice and sentenced to an 18-month prison term for sending an e-mail encouraging employees to "clean up" their files while a criminal inquiry of his bank was under way.

Computer backup tapes should be used for disaster recovery, not as a repository for maintaining records in case of litigation or investigation. Retrieving e-mail messages from backup tapes can be an arduous task that can cost anywhere from thousands to millions of dollars.

In a lawsuit alleging breach of contract, Murphy Oil USA Inc. attempted to compel Fluor Daniel Inc. to produce relevant e-mail communications that were archived on backup tapes. The judge's final statement on the matter: "Fluor's e-mail retention policy provided that backup tapes were recycled after 45 days. If Fluor had followed this policy, the e-mail issue would be moot." (Murphy Oil USA Inc. v. Fluor Daniel, Inc., 2002)

Message management

Managing electronic messages is particularly challenging since most electronic messaging systems lack the necessary record-keeping functions to properly classify, preserve and dispose of messages in accordance with an organization's records retention policies. But effective management of e-mail and other forms of electronic messaging involves more than just applying technology to the problem. Oil and gas companies seeking to apply records management controls to electronic messaging will need to adopt a comprehensive approach that blends five components.

Strategic plan for electronic records management: For most oil and gas companies facing the challenge of how to manage and preserve e-mail and instant messages, the immediate problem is their lack of an overall electronic records management strategy. Since more than 90% of new corporate data is generated electronically, this is a significant management challenge. E-mail and instant messages pose the highest risk related to electronic records and tend to be the first and most important electronic records management implementation that companies undertake. Above all, e-mail and instant message management and preservation require the development of an information culture that accepts e-mail, instant messages and other forms of electronic communication as potential business records.

Policy management: Oil and gas companies need a clearly stated, organization-wide policy that defines the organization's position regarding electronic messaging; projects an image of good faith; and can withstand scrutiny during litigation, audit, or investigation. The key issues to be addressed in an electronic messaging policy are listed in the checklist.

Technical solutions: Three types of technical solutions are available to assist in implementing an organization's approved electronic messaging policy: native solutions, Records Management Applications (RMAs) and outsourced message archiving systems. Native solutions leverage the built-in capabilities of an electronic messaging system to address message retention and records management issues. In Microsoft Exchange, features such as automatic deletion of messages and public foldering might be adapted for a "homegrown" solution. Other messaging system vendors will have similar message management features.

RMAs provide the following functionality:

• Implementing Records Retention Schedules. The ability to create and edit records retention schedules and their components.

• Declaring Records. Processes that allow users to declare a message as a record, or which automate the procedure of determining which messages are deemed to be official organization records versus transitory non-records. Items identified as records are removed from the users' control and placed under the jurisdiction of the policies defined in the RMA.

• Classifying Records. Once a message has been declared a record, it must be determined where within the organization's records retention schedule the message belongs. In some cases this is done by the users, who must classify messages by selecting a category or code from a list or by other methods. In other cases this is done "automatically" via an autoclassification engine integrated with the RMA.

• Scheduling Records. Each classification in the retention schedule is associated with a specific retention rule and is assigned a retention period and disposition date. Retention and destruction are then controlled by the RMA.
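
The scheduling step above, combined with the litigation-hold requirement described earlier, as an added example that is not code from the article or from any RMA product. It uses the 6-year HIPAA and 5-year CFTC retention periods the article states; the category codes, record fields, matter tags and the choice to count retention from the declaration date are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Retention periods stated in the article; the category codes are hypothetical.
RETENTION_YEARS = {
    "HIPAA-COMPLIANCE": 6,   # HIPAA compliance documentation
    "CFTC-TRADING": 5,       # commodity futures transaction records
}

@dataclass
class Record:
    record_id: str
    category: str
    declared_on: date                  # assumed trigger date for the retention clock
    matters: frozenset = frozenset()   # hypothetical case tags matched against holds

def disposition_date(rec: Record) -> date:
    """Scheduling step: declaration date plus the category's retention period."""
    if rec.category not in RETENTION_YEARS:
        # Fail closed: a record with no retention rule is never scheduled for destruction.
        raise KeyError(f"no retention rule for category {rec.category!r}")
    target_year = rec.declared_on.year + RETENTION_YEARS[rec.category]
    try:
        return rec.declared_on.replace(year=target_year)
    except ValueError:   # declared on 29 Feb and the target year is not a leap year
        return date(target_year, 3, 1)

def eligible_for_destruction(records, active_holds, today):
    """Return IDs whose retention has expired and that no litigation hold covers."""
    eligible = []
    for rec in records:
        if rec.matters & active_holds:
            continue     # a hold suspends destruction regardless of the schedule
        if disposition_date(rec) <= today:
            eligible.append(rec.record_id)
    return eligible

# Constructed sample records, not taken from any real system.
SAMPLE = [
    Record("msg-001", "CFTC-TRADING", date(2016, 3, 1)),
    Record("msg-002", "CFTC-TRADING", date(2016, 3, 1), frozenset({"case-A"})),
    Record("msg-003", "HIPAA-COMPLIANCE", date(2016, 2, 29)),
    Record("msg-004", "HIPAA-COMPLIANCE", date(2019, 6, 15)),
]

if __name__ == "__main__":
    print(eligible_for_destruction(SAMPLE, {"case-A"}, date(2022, 3, 1)))
```

The hold check runs before the date check, so a record under hold is skipped even when its retention period has long expired.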

Outsourced message archiving solutions provide repositories for long-term preservation with tools for searching and viewing messages and attachments. E-mail messages may be forwarded from an organization's e-mail systems to an archiving service provider via the public Internet, private line or virtual private network (VPN). Advantages of this approach include better management of message storage costs, improved system performance by reducing the volume of messages the system must store and manage, and a common index and repository for both e-mail and instant messaging that simplifies search and retrieval of messages in support of discovery and audit activities.

Communications and training: All users of an organization's messaging systems should be provided with training, not solely on the technology and its use but also on the existence, requirements, purpose and importance of the electronic messaging policy. Training may be provided as part of new employee orientation, or an organization may host periodic seminars to discuss the policy and answer employee questions. E-mail and Intranet systems can be used to remind employees of the policy and management's commitment to enforcement.

Compliance monitoring: Compliance monitoring or audits should be regularly undertaken to ensure that employees are carrying out the policies, procedures and processes according to the organization's requirements. The policy should state that violations of the policy and associated procedures are taken very seriously and may result in disciplinary action, up to and including termination of employment, and possible civil and criminal liability. Where areas of non-compliance are discovered, the organization should take action to address them and bring them into compliance.

Conclusion

The oil and gas industry is becoming increasingly aware that failing to implement a successful electronic message management program can expose it to untenable risk. The challenge lies in adopting a balanced position that encourages use of technologies as they migrate to the mainstream and continue to support necessary customer interactions, all the while controlling risks in network and data security as well as regulatory compliance.